Thanks for this, it is a good answer to my original problem, but not the actual question! So I'll upvote for usefulness, but I can't mark it as the accepted answer. I think the service manager is the right place to do this sort of thing.
– Alex ForbesApr 17 at 19:40

@AlexForbes Systemd is absolutely the wrong place to do this sort of thing. You may need different deploy hooks for each DNS name, for instance, (e.g. getting certs for both nginx and postfix, each with different names) and that gets completely unmaintainable if you try to cram it into a systemd unit or override.
– Michael Hampton♦Apr 18 at 2:34

We're getting into a philosophical debate here, but by "sort of thing", I mean coupling services together. Systemd is absolutely the right place to declare service dependencies. It's one of the main reasons it exists. I think it's actually an interesting debate but this comment field is too limited so I'm going to break down my thoughts on when to use generalist vs domain-specific solutions into a blog post when I have more time. I'll link it here, would be interested in your thoughts!
– Alex ForbesApr 18 at 11:19